| Patent / Publication No. | Title | Date | Inventor(s) | U.S. Class |
|---|---|---|---|---|
| 5564079 | Method for locating mobile stations in a digital telephone network | October, 1996 | Olsson | |
| 5684860 | Apparatus for automatically distributing calls between users and a fleet of mobile stations through a central station | November, 1997 | Milani et al. | 455/412.1 |
| 6112095 | Signature matching for location determination in wireless communication systems | August, 2000 | Wax et al. | |
| 6115605 | Communication system and device using dynamic receiver addressing | September, 2000 | Siccardo et al. | |
| 6134448 | System for detecting positional information | October, 2000 | Shoji et al. | |
| 6140964 | Wireless communication system and method and system for detection of position of radio mobile station | October, 2000 | Sugiura et al. | |
| 6198935 | System and method for time of arrival positioning measurements based upon network characteristics | March, 2001 | Saha et al. | |
| 6212391 | Method for positioning gsm mobile station | April, 2001 | Saleh et al. | |
| 6249252 | Wireless location using multiple location estimators | June, 2001 | Dupray | |
| 6259406 | Wireless communication system and method and system for detection of position of radio mobile station | July, 2001 | Sugiura et al. | |
| 6269246 | Location determination using RF fingerprinting | July, 2001 | Rao et al. | |
| 6275190 | Wireless communication system and method and system for detection of position of radio mobile station | August, 2001 | Sugiura et al. | |
| 6282427 | Selection of location measurement units for determining the position of a mobile communication station | August, 2001 | Larsson et al. | |
| 6304218 | Wireless communication system and method and system for detection of position of radio mobile station | October, 2001 | Sugiura et al. | |
| 6414634 | Detecting the geographical location of wireless units | July, 2002 | Tekinay | |
| 6415155 | Location system and method for identifying position of mobile terminal that can communicate based on repeater in radio zone, and mobile terminal that can communicate based on repeater in radio zone | July, 2002 | Koshima et al. | |
| 6441777 | Signal structure and processing technique for providing highly precise position, velocity, time and attitude information with particular application to navigation satellite systems including GPS | August, 2002 | McDonald | |
| 6456892 | Data driven interaction for networked control of a DDI target device over a home entertainment network | September, 2002 | Dara-Abrams et al. | |
| 6526283 | Device and method for tracking location of mobile telephone in mobile telecommunication network | February, 2003 | Jang | |
| 6556942 | Short range spread-spectrum radiolocation system and method | April, 2003 | Smith | |
| 6760318 | Receiver diversity in a communication system | July, 2004 | Bims | |
| 6788658 | Wireless communication system architecture having split MAC layer | September, 2004 | Bims | |
| 6925070 | Time-slotted data packets with a preamble | August, 2005 | Proctor, Jr. | |
| 6940827 | Communication system using OFDM for one direction and DSSS for another direction | September, 2005 | Li et al. | 370/278 |
| 6963740 | Secure enterprise communication system utilizing enterprise-specific security/trust token-enabled wireless communication devices | November, 2005 | Guthery et al. | 455/410 |
| 6978023 | Apparatus and method for location based wireless client authentication | December, 2005 | Dacosta | 380/258 |
| 7028097 | Wireless LAN with dynamic channel access management | April, 2006 | Bard | 709/232 |
| 7028183 | Enabling secure communication in a clustered or distributed architecture | April, 2006 | Simon et al. | 713/168 |
| 7032241 | Methods and systems for accessing networks, methods and systems for accessing the internet | April, 2006 | Venkatachary et al. | 726/4 |
| 7050480 | Code assignment algorithm for synchronous DS-CDMA links with SDMA using estimated spatial signature vectors | May, 2006 | Ertel et al. | 375/141 |
| 7068999 | System and method for detection of a rogue wireless access point in a wireless communication network | June, 2006 | Ballai | 455/411 |
| 7072315 | Medium access control for orthogonal frequency-division multiple-access (OFDMA) cellular networks | July, 2006 | Liu et al. | 370/329 |
| 7073066 | Offloading cryptographic processing from an access point to an access point server using Otway-Rees key distribution | July, 2006 | Nessett | 713/181 |
| 7103026 | Use of chip repetition to produce a flexible bandwidth DS-CDMA system | September, 2006 | Hall et al. | 370/335 |
| 7124197 | Security apparatus and method for local area networks | October, 2006 | Ocepek et al. | 709/232 |
| 7133842 | System, method and program for bidding for best solution process execution in a heterogeneous network | November, 2006 | Harif | 705/37 |
| 7146172 | Multi-carrier communications with adaptive cluster configuration and switching | December, 2006 | Li et al. | 455/452.1 |
| 7149896 | Methods and systems for providing security for accessing networks, methods and systems for providing security for accessing the internet | December, 2006 | Bahl et al. | 713/166 |
| 7164669 | Multi-carrier communication with time division multiplexing and carrier-selective loading | January, 2007 | Li et al. | 370/336 |
| 7177298 | Dynamic channel allocation in multiple-access communication systems | February, 2007 | Chillariga et al. | 370/348 |
| 7212837 | Method and system for hierarchical processing of protocol information in a wireless LAN | May, 2007 | Calhoun et al. | |
| 20020174335 | IP-based AAA scheme for wireless LAN virtual operators | November, 2002 | Zhang et al. | |
| 20020188723 | Dynamic frequency selection scheme for IEEE 802.11 WLANs | December, 2002 | Choi | |
| 20030023746 | Method for reliable and efficient support of congestion control in nack-based protocols | January, 2003 | Loguinov | |
| 20030117985 | NETWORK SECURITY SYSTEM, COMPUTER, ACCESS POINT RECOGNIZING METHOD, ACCESS POINT CHECKING METHOD, PROGRAM, STORAGE MEDIUM, AND WIRELESS LAN DEVICE | June, 2003 | Fujii et al. | |
| 20030135762 | Wireless networks security system | July, 2003 | Macaulay | |
| 20030188006 | Wireless LAN with dynamic channel access management | October, 2003 | Bard | |
| 20030198208 | Data network having a wireless local area network with a packet hopping wireless backbone | October, 2003 | Koos, Jr. et al. | |
| Foreign Publication No. | Date | Title |
|---|---|---|
| EP0930514 | July, 1999 | System and method for identifying position of mobile terminal |
| EP0967816 | December, 1999 | FIELD INTENSITY DISTRIBUTION GENERATOR |
| EP1018457 | July, 2000 | POSITIONING SYSTEM AND MOBILE COMMUNICATION DEVICE |
| EP1296531 | March, 2003 | Processing of subscriber paths for locating a mobile terminal in a mobile network |
| EP1301055 | April, 2003 | Processing of geographical and movement data for locating a mobile terminal in a mobile network |
| JP02044929 | February, 1990 | |
| WO/1998/041048 | December, 1998 | FIELD INTENSITY DISTRIBUTION GENERATOR |
| WO/1999/008909 | July, 2000 | POSITIONING SYSTEM AND MOBILE COMMUNICATION DEVICE |
| WO/1997/033386 | October, 2000 | SYSTEM FOR DETECTING POSITIONAL INFORMATION |
| WO/2002/043425 | May, 2002 | METHOD AND APPARATUS TO COUNTER THE ROGUE SHELL THREAT BY MEANS OF LOCAL KEY DERIVATION |
| WO/2002/054813 | July, 2002 | LOCATION ESTIMATION IN WIRELESS TELECOMMUNICATION NETWORKS |
| WO/2003/023443 | March, 2003 | METHOD FOR DETECTING LOCATION OF A MOBILE TERMINAL |
This application makes reference to the following commonly owned U.S. patent applications and/or patents, which are incorporated herein by reference in their entirety for all purposes:
U.S. patent application Ser. No. 10/155,938 in the name of Patrice R. Calhoun, Robert B. O'Hara, Jr. and Robert J. Friday, entitled “Method and System for Hierarchical Processing of Protocol Information in a Wireless LAN.”
The present invention relates to wireless computer networks and, more particularly, to methods, apparatuses and systems effecting a distributed security mechanism for wireless computer network environments.
The market adoption of wireless LAN (WLAN) technology has exploded, as users from a wide range of backgrounds and vertical industries brought this technology into their homes, offices, and increasingly into the public air space. This inflection point highlighted not only the limitations of earlier-generation systems, but the changing role WLAN technology now plays in people's work and lifestyles, across the globe. Indeed, WLANs are rapidly changing from convenience networks to business-critical networks. Increasingly users are depending on WLANs to improve the timeliness and productivity of their communications and applications, and in doing so, require greater visibility, security, management, and performance from their network.
As enterprises and other entities increasingly rely on wireless networks, security of wireless network environments becomes a critical component to ensure the integrity of the enterprise's network environment against unauthorized access. Indeed, wireless networks pose security risks not encountered in wired computer networks, since any wireless client in the coverage area of an access point can potentially gain access to the network without a physical connection. In an 802.11 wireless network, prior art security mechanisms are implemented in a variety of manners. For example, the 802.11 protocol provides for shared-key authentication, according to which a wireless client must possess a shared secret key in order to establish a wireless connection with an access point. In addition, as with wired networks, the wireless network infrastructure can operate in connection with application level security mechanisms, such as a RADIUS or other authentication server, to control access to network resources.
To establish a wireless connection with an access point, a wireless client or station (STA) transmits probe requests to discover the access point(s) within range. After selecting an access point, the wireless client transmits an authentication request to the selected access point. With open system authentication, the access point responds to the request, either accepting or rejecting it. With shared-key authentication, the access point responds with a challenge. To authenticate, the wireless client must send an encrypted version of the challenge (encrypted using the shared key) in an authentication frame back to the access point.
As one skilled in the art recognizes, each time an access point interacts with a wireless client associated with a malicious, unauthorized user, there is a risk that the malicious user can gain access to the network environment. After failing to connect at a first access point, a malicious or unauthorized user may simply move to another access point and attempt to establish a wireless connection. In prior art wireless network environments, however, there exists no mechanism for coordinating or distributing security policy across access points. Accordingly, the knowledge gleaned from interaction with a given wireless client at the first access point essentially goes unused when the user moves to a different coverage area and new access point, exposing the network to a new round of attacks.
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that facilitate the distribution of security information across access points associated with a wireless network environment. A need further exists for methods, apparatuses, and systems that allow for the sharing of security information across access points to effect a unitary security scheme throughout a wireless network environment. Embodiments of the present invention substantially fulfill these needs.
The present invention provides methods, apparatuses and systems enabling a distributed wireless network security system. In one embodiment, the present invention provides a wireless network system where security policies are automatically distributed and uniformly implemented across wireless network access points. Embodiments of the present invention address the situation where a malicious user moves to a different access point within a wireless network environment after failing to properly authenticate and/or associate at a first access point. Embodiments of the present invention enable an integrated, multi-layer network security system, wherein a security mechanism at one layer (e.g., link layer security mechanisms) can set policies based on information gleaned from operation of a security mechanism at another layer (e.g., application layer authentication servers).
FIG. 1 is a functional block diagram setting forth a wireless network environment according to an embodiment of the present invention.
FIG. 2 is a flow chart illustrating a method directed to implementing a security policy at a given access element.
FIG. 3 is a flow chart providing a method associated with authenticating and associating users and setting policies for users based on authentication and/or association failures.
FIG. 4 is a functional block diagram illustrating operation of the security mechanism across a wireless network deployment according to an embodiment of the present invention.
For didactic purposes an embodiment of the present invention is described as operating in a WLAN environment as disclosed in U.S. application Ser. No. 10/155,938 incorporated by reference herein. As discussed below, however, the present invention can be implemented according to a vast array of embodiments, and can be applied to a variety of WLAN architectures.
FIG. 1 illustrates a wireless computer network environment according to an embodiment of the present invention. Referring to FIG. 1, there is shown a block diagram of a wireless Local Area Network system 10 according to an embodiment of the invention. A specific embodiment of the invention includes the following elements: access elements 12, 14 for wireless communication with selected client remote elements 16, 18, 20, 22, central control elements 24, 26, and means for communication between the access elements and the central control elements, typically direct line access 28, 30, but potentially a wireless backbone, fiber or other reliable link. In another embodiment, access elements 12, 14 are directly connected to LAN 10 or a virtual local area network (VLAN) for communication with central control element 24.
The access elements 12-15 are coupled via communication means using a wireless local area network (WLAN) protocol (e.g., IEEE 802.11a or 802.11b, etc.) to the client remote elements 16, 18, 20, 22. The communications means 28, 30 between the access elements 12, 14 and the central control element 24 is typically an Ethernet network, but it could be anything else appropriate to the environment. As described in U.S. application Ser. No. 10/155,938, the access elements 12, 14 and the central control element 24 tunnel network traffic associated with corresponding remote client elements 16, 18; 20, 22 via direct access lines 28 and 30, respectively. Central control element 24 is also operative to bridge the network traffic between the remote client elements 16, 18; 20, 22 transmitted through the tunnel with corresponding access elements 12, 14.
As described in the above-identified patent application, central control element 24 operates to perform link layer management functions, such as authentication and association, on behalf of access elements 12, 14. For example, the central control element 24 provides processing to dynamically configure a wireless Local Area Network of a system according to the invention, while the access elements 12, 14 provide the acknowledgment of communications with the client remote elements 16, 18, 20, 22. The central control element 24 may, for example, process the wireless LAN management messages passed on from the client remote elements 16, 18; 20, 22 via the access elements 12, 14, such as authentication requests and authorization requests, whereas the access elements 12, 14 provide immediate acknowledgment of the communication of those messages without conventional processing thereof. Similarly, the central control element 24 may, for example, process physical layer information. Still further, the central control element 24 may, for example, process information collected at the access elements 12, 14 on channel characteristics, propagation, and interference or noise. Central control element 26 and associated access elements 13, 15 operate in a similar or identical manner.
Authentication server 70 performs application-level authentication protocols, typically involving challenge-response queries involving, for example, a user name and password. Authentication server 70 can implement any suitable authentication mechanism, such as IEEE 802.1X, RADIUS, Kerberos, and web-based authentication protocols. In one embodiment, the functionality of authentication server 70 can be integrated into a Virtual Private Network (VPN) server.
As discussed more fully below, the wireless network security scheme according to the present invention employs a mobile station data structure including information characterizing a given remote client element, and a so-called black list defining the remote client elements that should not be provided network access. In one embodiment, the mobile station data structure includes a wireless client identifier (typically, the MAC address of the remote client element) and a black list flag (in one embodiment, a “0” indicates that the associated client is not “black-listed,” while a “1” indicates that the client is black-listed). In another embodiment, the mobile station data structure may further include a black list time stamp which, as described below, can be used to place remote client elements on a black list on a temporary basis. The mobile station data structure may also include a field maintaining a count of the number of unsuccessful authentication or association attempts. In one embodiment, central control elements 24, 26 maintain the mobile station data structures and, as discussed below, share mobile station data structures to effect an enterprise-wide security scheme. The mobile station data structures can be implemented as entries in a mobile station table maintained by the central control elements. In other embodiments, the mobile station data structures may be implemented as software objects.
FIG. 2 illustrates a method directed to a security scheme that involves a black list operative to determine whether a remote client element may gain network access. FIG. 4 is a block diagram illustrating operation of the security scheme according to an embodiment of the present invention. In 802.11 wireless network environments, for example, a remote client element 16 may issue a probe request to which access elements 12 and/or 14 respond. Using the information in the probe response, remote client element 16 transmits an 802.11 authentication request (FIG. 4, #1). As discussed above, in one embodiment, access element 12 tunnels the authentication request to central control element 24. As FIG. 2 illustrates, when central control element 24 receives the authentication request (102), it queries all known central control elements (e.g., central control element 26), passing the MAC address of the remote client element 16, for mobile station data structures associated with the remote client element. In one embodiment, the central control elements are operative to respond to the request by scanning their respective mobile station tables and transmitting a message including the mobile station data structure, or an indication that no information exists as to the identified remote client element 16. Central control element 24, scanning its own mobile station table and receiving the responses from the queried central control elements, determines whether a mobile station data structure exists for the remote client element (106). If no mobile station data structure is found, central control element 24 creates a new mobile station data structure for remote client element 16, using its MAC address and setting the black list flag to “0” and the time stamp to the current time (118).
Otherwise, central control element 24 identifies the latest mobile station data structure by comparing time stamps (if two or more versions exist), and enters the latest data structure into its mobile station table (108). Central control element 24 then looks at the value of the BlackList flag (110) to determine whether remote client element 16 should be allowed to attempt to establish access to the network. As FIG. 2 provides, if the BlackList flag is set to “1”, central control element 24 determines whether the time stamp associated with the mobile station data structure has expired (112). In one embodiment, if the time stamp value plus a configurable period of time is less (earlier) than the current time, then the time stamp is deemed expired. If the time stamp has expired, central control element 24 resets the BlackList flag to “0” and sets the time stamp to the current time (122). If the time stamp has not expired, central control element 24, in one embodiment, resets the time stamp to the current time (114) and ignores the authentication request (116), preventing the remote client element 16 from associating with access element 12 and gaining access to the network.
Otherwise, assuming the remote client element 16 has not been black-listed, authentication and association protocols are performed (120), as set forth in FIG. 3. As FIG. 3 illustrates, the wireless network environment, in one embodiment, includes link layer authentication/association protocols (implemented by central control element 24 via an access element), and an application level authentication mechanism (implemented by authentication server 70). The present invention, however, can be applied using a variety of authentication and/or association schemes. In addition, as one skilled in the art will recognize, the link layer authentication and association protocols employed will depend on the wireless network protocols employed. In embodiments implementing the 802.11 protocol, central control element 24 performs an authentication of the remote client element according to the 802.11 protocol (202). In one embodiment, central control element 24, through a corresponding access element, implements a shared-key authentication scheme. As FIG. 3 illustrates, central control element 24 allows a threshold number of failed authentication attempts (203) before placing remote client element 16 on the black list (210) and terminating access (212). Similarly, central control element 24 allows a threshold number of failed association attempts (204, 205) before placing the remote client element 16 on the black list. Assuming remote client element 16 successfully authenticates and associates with an access element, central control element 24 directs remote client element 16 to authentication server 70 (206). As above, remote client element 16 is allowed a threshold number of authentication attempts (207) before being placed on the black list.
In one embodiment, the attempt threshold is a configurable parameter, which can be applied individually to each security layer or on an aggregate basis to all failed attempts in the authentication and association protocol implemented by the wireless network infrastructure. Moreover, as discussed above, the mobile station data structure may further include a field maintaining a count of the number of failed authentication attempts, to protect against an attack where the wireless client moves to a coverage area associated with another access point/central control element before exceeding the attempt threshold and being placed on a black list. In such an embodiment, the attempts field could be reinitialized when the wireless client successfully passes the security scheme implemented by the network environment. In addition, the time stamp value could be updated with each failed attempt, allowing the counts to be reset on a time basis once a threshold period has elapsed since the last attempt.
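The black-list check of FIG. 2 and the threshold logic of FIG. 3, carried through as an added worked model; this is illustrative code written for this page, not code from the patent or from any implementation it describes. The class and field names (`MobileStation`, `CentralControlElement`, `handle_request`), the 300-second expiry window, the threshold of three, the MAC address and the representation of the security stages as a list of pass/fail outcomes are all constructed assumptions. Step numbers in the comments refer to the figures described above. Failures are counted on an aggregate basis across the link-layer authentication, association and application-layer stages, which is one of the two threshold options the text names; the replayed scenario follows the FIG. 4 walk-through, including the expiry of a temporary black-list entry.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class MobileStation:
    """Mobile station data structure as described above (constructed field names)."""
    mac: str                      # wireless client identifier
    black_list: bool = False      # the BlackList flag: False == "0", True == "1"
    time_stamp: float = 0.0       # seconds; set at creation and refreshed on each decision
    failed_attempts: int = 0      # aggregate count of failed authentication/association attempts


class CentralControlElement:
    """One central control element holding a mobile station table and a list of peers."""

    def __init__(self, name: str, black_list_period: float, attempt_threshold: int) -> None:
        self.name = name
        self.black_list_period = black_list_period   # configurable expiry window (seconds)
        self.attempt_threshold = attempt_threshold   # configurable failure threshold
        self.peers: List["CentralControlElement"] = []
        self.table: Dict[str, MobileStation] = {}

    def lookup(self, mac: str) -> Optional[MobileStation]:
        """Answer a peer's query by scanning the local mobile station table."""
        return self.table.get(mac)

    def _latest_record(self, mac: str, now: float) -> MobileStation:
        """Steps 102-118: collect records from own table and all peers, keep the newest."""
        found = [r for r in [self.lookup(mac)] + [p.lookup(mac) for p in self.peers] if r]
        if not found:
            return MobileStation(mac, black_list=False, time_stamp=now)   # step 118: new entry
        return replace(max(found, key=lambda r: r.time_stamp))            # step 108: copy of latest

    def handle_request(self, mac: str, now: float, stage_results: List[bool]) -> str:
        """Process one connection attempt tunnelled up from an access element.

        stage_results gives the outcome of each security stage in order, e.g.
        [link-layer authentication ok, association ok, application-layer auth ok].
        Returns "ignored", "rejected", "black-listed" or "authenticated".
        """
        record = self._latest_record(mac, now)
        self.table[mac] = record                                      # enter into own table
        if record.black_list:                                         # step 110
            if record.time_stamp + self.black_list_period < now:      # step 112: expired?
                record.black_list = False                             # step 122: lift the ban
                record.failed_attempts = 0
                record.time_stamp = now
            else:
                record.time_stamp = now                               # step 114: extend the ban
                return "ignored"                                      # step 116: no response
        # Step 120 / FIG. 3: run the stages in order; the first failure ends the attempt.
        for ok in stage_results:
            if not ok:
                record.failed_attempts += 1
                record.time_stamp = now                               # time of last failure
                if record.failed_attempts >= self.attempt_threshold:
                    record.black_list = True                          # step 210
                    return "black-listed"                             # step 212: access terminated
                return "rejected"
        record.failed_attempts = 0    # passed every layer: reinitialize the count
        return "authenticated"


def fig4_scenario() -> List[str]:
    """Replay the FIG. 4 walk-through with constructed values (two peered controllers)."""
    cce24 = CentralControlElement("cce-24", black_list_period=300.0, attempt_threshold=3)
    cce26 = CentralControlElement("cce-26", black_list_period=300.0, attempt_threshold=3)
    cce24.peers.append(cce26)
    cce26.peers.append(cce24)
    mac = "00:11:22:33:44:55"   # constructed client identifier
    return [
        cce24.handle_request(mac, 1000.0, [False]),                # #1: link-layer auth fails at 12
        cce24.handle_request(mac, 1001.0, [True, False]),          # #2: association fails at 14 (same controller)
        cce24.handle_request(mac, 1002.0, [True, True, False]),    # third failure -> black-listed
        cce26.handle_request(mac, 1010.0, [True, True, True]),     # #3: other controller learns the ban
        cce26.handle_request(mac, 1311.0, [True, True, True]),     # ban expired, valid credentials succeed
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(fig4_scenario(), 1):
        print(step, outcome)
```

Because each controller copies the newest shared record into its own table and refreshes the time stamp whenever it ignores a request, a black-listed client that keeps roaming keeps extending its own ban, while a client that stays away for the configured period is readmitted and its failure count starts over.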
FIG. 4 demonstrates the security scheme effected by the embodiment discussed above. For example, a remote client element 16 in the coverage area associated with access element 12 is placed on a black list after failing to authenticate (FIG. 4, #1). The user then moves remote client element 16 to the coverage area associated with access element 14 (#2). Access element 14, under the management of central control element 24, denies access to remote client element 16 (in one embodiment, by ignoring authentication or association requests), as long as the remote client element remains on the black list. The user then moves to a coverage area associated with access element 13 under the management of central control element 26 (#3). Given that the central control elements exchange mobile station data structures, remote client element 16 is again denied access to the network.
In addition, beyond the sharing of security policy information across access elements in a wireless network environment, the present invention achieves an enhanced network security system by allowing information gleaned from security policies at one level (e.g., application layer security) to be used in setting security policies at a different level or layer. For example, assume for didactic purposes that a remote client element properly authenticates and associates at the 802.11 or other link layer, but fails to properly authenticate at the application layer with authentication server 70. After a threshold number of attempts, the remote client element is “black-listed.” As one will recognize, the security state associated with the remote client element 16 extends to other security mechanisms at lower layers. In the embodiment described herein, for example, the remote client element would be prevented from authenticating or associating with an access element at the link layer during a subsequent attempt to establish a connection. As one skilled in the art will recognize, this aspect of the invention has application to wired networks as well. For example, in a LAN including DHCP functionality and an authentication server, the DHCP server associated with the LAN can maintain a black list (identifying clients by MAC address) and deny requests for dynamic IP addresses based on the state of the black list. In one embodiment, the DHCP server can implement the black list by reserving an inoperative (e.g., non-routable, or the loopback address) IP address for the particular black-listed client(s). The DHCP server can release a client from the black list by normal termination of the DHCP address lease. In another embodiment, a client node is placed on the black list after a threshold number of failed attempts to authenticate with the authentication server.
A variety of embodiments are possible. For example, the central control elements can be configured to publish or push updates to mobile station data structures (e.g., changes in security state information) to other known central control elements. In addition, the central control elements can be manually configured with the computer network address of neighboring central control elements to allow for exchange of mobile station data structures. In other embodiments, the central control elements may include various layer 2 or layer 3 discovery mechanisms to automatically configure the exchange of mobile station data structures. In addition, the present invention can be applied to a variety of other wireless network architectures. For example, the wireless network infrastructure need not include central control elements: the mobile station tables and associated security and link layer management functionality performed by the central control elements may be integrated into the access elements to operate in a substantially autonomous mode (obviating the use of the central control elements). In addition, a central management appliance can be introduced to manage and coordinate the exchange of mobile station data structures among the wireless access points.
Accordingly, the invention has been explained with reference to specific embodiments. Other embodiments will be evident to those of ordinary skill in the art. It is, therefore, intended that the claims set forth below not be limited to the embodiments described above.